[Announce] A new GnuPG snapshot (unstable)

Werner Koch wk at gnupg.org
Sat Nov 3 15:44:01 CET 2001


On Sat, 3 Nov 2001 13:41:52 +0100 (CET), Stefan H Holek said:

> I gave 1.0.6b a spin recently and found that the trustdb stuff has
> considerably improved over 1.0.6. This is good news! Even expired keys do
> now work for key validation, they did not in plain 1.0.6...

I hope you mean that they are not used for key validation ...

> BTW, gpg --list-keys --with-colons does not display the ownertrust
> anymore!? Maybe I am just missing something here...

Well, there are a lot of minor (?) bugs.

> What exactly is the rationale behind being able to set someone's public
> key to ultimately trusted? It is my understanding that what makes a key
> ultimately trusted is the fact that I own the private key as well.

The old way was to assume that the availability of a secret key also
means you trust this key ultimately.  This has some security issues:
for example you might have imported one of the demo secret keys, and
an attacker can now fool you by signing his key with this publicly
known secret key.

The reason for --trusted-key and the new way of explicitly setting a
key to ultimately trusted is that you might not want to keep your
secret certification key online, which is not needed for everyday
use.  So in my case I have set 5b0358a2 to ultimate trust although
the secret key is stored at a safer place.

> What is the difference between ultimately and completely trusted when 

Ultimately trusted means the end-point of a certification path; this
is similar to the root certificate in X.509.  Completely means that
the key is considered valid after checking the Web of Trust.

  Werner

-- 
Werner Koch        Omnis enim res, quae dando non deficit, dum habetur
g10 Code GmbH      et non datur, nondum habetur, quomodo habenda est.
Privacy Solutions                                        -- Augustinus
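The point above, that ownertrust is an explicit setting and not something implied by having a secret key on hand, is easy to audit against the colon-separated listing format the thread mentions. The following script is an added example, not code from this thread or from GnuPG: it parses constructed `--with-colons`-style output (the key ids are placeholders, not real keys) and reports keys marked ultimately trusted that have no secret key in the keyring (the offline certification-key case described above) and secret keys that have been left without ultimate ownertrust (which, under the explicit model, do not anchor the Web of Trust). It assumes the documented record layout: field 1 record type, field 2 validity, field 5 long key id, field 9 ownertrust on `pub` records.

```python
"""Audit GnuPG ownertrust against secret-key presence from colon-listing output.

Added example, not part of the mailing-list post or of GnuPG. Assumes the
'--with-colons' record layout: field 1 = record type ('pub'/'sec'),
field 2 = validity, field 5 = long key id, field 9 = ownertrust (pub only).
The listing below is constructed for illustration; the key ids are placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample listing (not captured from a real keyring):
#   ...0001: ultimate ownertrust, no secret key -> offline certification key
#   ...0002: secret key present, ownertrust never set -> not a trust anchor
#   ...0003: full ownertrust, no secret key -> an ordinary trusted third party
SAMPLE_COLONS = """\
tru::1:1004800000:0:3:1:5
pub:u:1024:17:0000000000000001:2001-11-03:::u:::scESC:
uid:u::::::::Offline Cert Key (constructed) <cert@example.invalid>:
pub:-:1024:17:0000000000000002:2001-11-03:::-:::scESC:
uid:-::::::::Daily Key (constructed) <daily@example.invalid>:
pub:f:1024:17:0000000000000003:2001-11-03:::f:::scESC:
uid:f::::::::Colleague (constructed) <colleague@example.invalid>:
sec::1024:17:0000000000000002:2001-11-03:::::::
"""

# Letters used by GnuPG for both validity and ownertrust columns.
OWNERTRUST_NAMES = {"u": "ultimate", "f": "full", "m": "marginal",
                    "n": "never", "q": "undefined", "-": "unknown"}


@dataclass
class KeyInfo:
    keyid: str
    validity: str
    ownertrust: str
    has_secret: bool = False


def parse_colons(text: str) -> Dict[str, KeyInfo]:
    """Collect pub/sec records keyed by long key id; other record types are skipped."""
    keys: Dict[str, KeyInfo] = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) < 5:
            continue  # too short to carry a key id
        rectype, keyid = f[0], f[4]
        if rectype == "pub":
            ownertrust = f[8] if len(f) > 8 and f[8] else "-"
            keys[keyid] = KeyInfo(keyid=keyid, validity=f[1] or "-", ownertrust=ownertrust)
        elif rectype == "sec":
            if keyid in keys:
                keys[keyid].has_secret = True
            else:  # secret key listed without its public record (e.g. separate listing)
                keys[keyid] = KeyInfo(keyid=keyid, validity="-", ownertrust="-", has_secret=True)
    return keys


def audit(keys: Dict[str, KeyInfo]) -> Dict[str, List[str]]:
    """Classify keys by the relationship between ownertrust and secret-key presence."""
    findings: Dict[str, List[str]] = {
        "ultimate": [],                  # every explicit trust anchor
        "ultimate_without_secret": [],   # anchor whose secret key is kept elsewhere: review
        "secret_without_ultimate": [],   # own key that does not anchor the web of trust
    }
    for k in keys.values():
        if k.ownertrust == "u":
            findings["ultimate"].append(k.keyid)
            if not k.has_secret:
                findings["ultimate_without_secret"].append(k.keyid)
        elif k.has_secret:
            findings["secret_without_ultimate"].append(k.keyid)
    return findings


def run_audit(text: str) -> Dict[str, List[str]]:
    """Parse a colon listing and return the audit findings."""
    return audit(parse_colons(text))


if __name__ == "__main__":
    for category, ids in run_audit(SAMPLE_COLONS).items():
        print(f"{category}: {ids}")
```

In practice the input would be the combined output of `gpg --list-keys --with-colons` and `gpg --list-secret-keys --with-colons`; the parser accepts either order because a `sec` record seen before its `pub` record is still recorded. A key in `ultimate_without_secret` is exactly the offline certification-key arrangement described in the reply and is fine if that was the intent; anything else in that list deserves a look.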